Avoid Active Directory Mistakes in Windows Server 2008

When customers install Microsoft Active Directory Domain Services (AD DS) in Windows Server 2008 or Server 2008 R2, a couple of issues sometimes comeup. One issue involves installation; another is about Microsoft's recommendations for running domain controllers (DCs) as virtual machines (VMs).

These issues might be familiar to experienced administrators. But if you're a less-experienced administrator who needs to replace DCs that run WindowsServer 2003 with those that run Server 2008 R2, this article will shed some light on these issues and can help you avoid problems.

Adprep-Related Errors

Adprep is a utility that you run to prepare an existing Active Directory (AD) environment for the first DC that runs a newer OS, such as Server 2008R2. If you have an AD environment in which all DCs run Server 2008 or Windows 2003, and you want to add the first DC that runs Server 2008 R2, then youneed to run certain Adprep commands:

1. Run adprep /forestprep on the schema master.

2. Run adprep /domainprep on each domain's infrastructure master.

3. If you plan to install a read-only DC (RODC -- new in Server 2008), then you also need to run adprep /rodcprep for every domain that will have anRODC.

The article "The Adprep Process" tells more about this process, which is straightforwardenough. Still, administrators often have questions:

The Microsoft article "Running Adprep.exe" explains all that and more: the utility'sgeneral purpose, the process for running the necessary commands, and how to validate the utility's success. (If you want to review the exact changesthat Adprep operations make to prepare an existing AD, see the Microsoft articles "Windows Server 2008: Appendix of Changes to Adprep.exe to Support ADDS"   and "Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS." )

When running Adprep, plan for these important factors:

If you can prepare for these potential issues and follow the process that the previously mentioned articles describe, you should have no trouble. Insome cases, though, you might see one of these errors during an Adprep operation:

The overall Server 2008 or Server 2008 R2 upgrade process is described in the Microsoft article "Upgrade Domain Controllers: Microsoft Support QuickStart for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains."

DNS Delegation Error

After Adprep completes successfully, you can install the first DC that runs Server 2008 or Server 2008 R2 into your existing AD. If you choose toinstall the DNS server role during the DC installation, you might see this warning, which Figure 1 shows:

Figure 1: DNS delegation error

 "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If youare integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliablename resolution from outside the domain 'treyresearch5.net.' Otherwise, no action is required."

Before Server 2008, many customer problems with AD installations were caused by underlying problems with the DNS infrastructure, such as missing orincorrect DNS delegation records. One of Microsoft's goals for improving AD DS installation in Server 2008 was to help customers initially configurethe correct DNS infrastructure and then to help them maintain that configuration.

To that end, the AD DS installation wizard (Dcpromo) in Server 2008 and later automatically tries to create a DNS delegation when you create a newforest. The DNS delegation helps to ensure that clients from other domains can resolve host names in the domain of the new DC. If you aren't concernedabout the ability of people in other domains or on the Internet to resolve DNS name queries for computer names in the local domain, you can disregardthe message that Dcpromo uses to create this DNS delegation; simply click Yes when the message appears.

The message appears when these three conditions are met:

Dcpromo tries to create the delegation to ensure that computers in other domains can resolve DNS queries for hosts, including DCs and member computers,in the DNS subdomain.

Dcpromo can automatically create such delegations only on Microsoft DNS servers; the effort will fail if the parent DNS domain zone resides onthird-party DNS servers such as BIND.

You can see this error when you install DCs in forest root domains that have two- or three-part names (such as contoso.com or corp.contoso.com) andthat are immediately subordinate to top-level Internet domains such as .com, .gov, .biz, .edu, or two-letter country code domains such as .nz and .au.If your AD domain is to be registered on the Internet by the time it is promoted, the logging of this error might indicate that your ISP or DNS hostingprovider hasn't yet created the necessary delegation to your AD subdomain.

You might also encounter this error when creating DCs in a forest root domain that is subordinate to an existing corporate intranet namespace. Forexample, if BIND DNS servers own the internal domain contoso.com, then you'll encounter this error when Dcpromo attempts to create the delegation fromcontoso.com to the AD forest root domain's corp.contoso.com subdomain.

For Dcpromo to create the delegation on authoritative DNS servers in the parent domain, these conditions must be met:

Given that many AD domains aren't registered with an Internet registrar, and that the DNS servers for top-level domains (TLDs) run BIND, you can safelyignore this error message and click Yes to continue the promotion.

When delegations should exist between the parent domain and the subdomain that's being promoted, you can create and validate those delegations beforeor after the Dcpromo promotion. There's no reason to delay the promotion of a new DC that presents this error. To avoid the error message in futureDcpromo promotions, take one of these actions:

For more information about DNS delegation, see the Microsoft article "Understanding Zone Delegation."  If zone delegation isn't possible in your situation, you might consider other methods forproviding name resolution from other domains to the hosts in your domain. For example, the DNS administrator of another domain could configureconditional forwarding, stub zones, or secondary zones to resolve names in your domain. These Microsoft articles explain these concepts in more detail:

· "Understanding Zone Types"

· "Understanding stub zones"

· "Understanding forwarders" (go.microsoft.com/fwlink/?linkid=164778)

Virtual DCs and Update Sequence Number Rollback

Although Microsoft has published guidance and best practices for running DCs as VMs (see "Running Domain Controllers in Hyper-V"), some customers who run virtualDCs have problems with update sequence number (USN) rollback. The problems are often caused by improper restores of the VM. For example, replicationerrors appear and are determined to be caused by a USN rollback, which was the result of a restored snapshot of the virtual DC.

Only supported backup solutions, such as Windows Server Backup, can be used to restore a DC. Microsoft has recently revised the recommendations forrunning DCs as VMs, specifically the explanation of USNs and how to prevent USN rollback. These revisions should make the information more concise andclear and help customers avoid problems.

"The Specified User Already Exists" Error

In some cases, AD installation on a workgroup server might fail and return this error on the Summary page: "The operation failed because: The attemptto join this computer to the failed. 'The specified user already exists.'" In this situation, the dcpromoui.log file, which isstored in the %windir%debug folder, contains the text that Figure 2 shows.

Figure 2: Error text in the dcpromoui.log file

This error most often indicates that the server you're promoting has the same host name as another DC. Follow these steps to fix the issue:

1. If you're replacing a previously demoted DC with a new DC of the same name, make sure to remove the old DC's metadata. In Server 2008 and later, ADsnap-ins provide a simplified way to remove DC metadata. If necessary, you can also use the legacy method: Ntdsutil.

2. If Dcpromo continues to fail with this error, review the dcpromoui.log file to identify the name of the source DC (aka the helper DC) that the newreplica DC is using for replication. Search the file for the section that begins at callout A in Figure 3. The name of the source DC appears in theoutput at callout B.

Figure 3: Searching dcpromoui.log for the helper DC name 

3. Verify that the source DC has inbound replicated the removal of the DC metadata (i.e., the conflicting DC machine account and NTDS Settingsobjects). If the DC machine account still exists, then determine the reason:

The error can have other root causes aside from a conflicting machine account. These Microsoft articles discuss these other possible causes:

Sometimes Dcpromo fails while trying to create the NTDS Settings object for the DC. In this case, several errors might display a similar message; theextended error information will help to identify the root cause. Look for text such as "The operation failed because..." or "Active Directory could notcreate the NTDS Settings object...."

For example, Dcpromo can fail with this on-screen error: "The operation failed because: Active Directory could not create the NTDS Settings object forthis domain controller on the remote domain controller . Ensurethe provided network credentials have sufficient permissions.<%Extended error string%>". Be aware that the boilerplate text "Ensure the providednetwork credentials have sufficient permissions" can be misleading; the failure to create the NTDS Settings object isn't necessarily caused byinsufficient credentials. Table 1 lists possible extended error strings for this error message.

Another common cause of AD installation failure is not granting the Administrators group theEnable computer and user accounts to be trusted for delegation user right. This right is a Group Policy setting that is enabled for theAdministrators group by default in the Default Domain Controllers Policy.

When a DC is selected as a replication partner during the promotion of a replica DC, the selected DC requires access to resources on the computer thatyou're promoting. If the Enable computer and user accounts to be trusted for delegation user right is not granted to the Administratorssecurity group, then each access request for a resource fails with the "Access denied" error that Figure 4 shows.

 
Figure 4: Access denied error

To resolve the error, use Group Policy Management Console (GPMC) and the Group Policy Results tool (Gpresult) to verify that the Administrators groupis granted the Enable computer and user accounts to be trusted for delegation user right in the Default Domain Controllers Policy. The path inGroup Policy Editor is Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment Enable computer anduser accounts to be trusted for delegation.

After a DC is running Server 2008 R2, you can run the AD DS Best Practices Analyzer (BPA) to catch this kind of policy-setting misconfiguration. Theappropriate BPA rule isn't included in the original set of rules but is part of a supplementary set of rules that's delivered via Windows Update. Thisrule will be applied to a DC that runs Server 2008 R2.

When you run the AD DS BPA, another rule from the same supplementary set can help prevent a couple of common Group Policy setting misconfigurationsthat are root causes of DC replication failure: not granting the Access this computer from the network user right to the Administrators,Enterprise Domain Controllers, or Authenticated Users security groups, or having the Enterprise Domain Controllers, Everyone, Administrators, orAuthenticated Users security groups in the settings of the Deny access to this computer from network user right. Any DC that tries toreplicate from a DC with one of the aforementioned policy settings might fail. Users and computers might also experience failure to apply Group PolicyObjects (GPOs).

To resolve that error, follow the steps in the BPA to verify that the DCs have this user right granted to the appropriate security principals. You canuse the GPMC and Gpresult settings in Table 2 to verify that Group Policy reflects the correct settings.

Better Troubleshooting

The good news is that the new Windows PowerShell cmdlets for AD DS installation and replication management in the Windows Server 8 address theseissues. In the meantime, explaining these issues will hopefully help administrators who need to install and troubleshoot DCs that run Server 2008 R2 tobe better informed and less hindered.